TL;DR: China’s Cybersecurity Law (CSL) is the foundational law regulating network operations, personal data handling, and critical infrastructure in China. First enacted in 2017, it has paved the way for laws like the Personal Information Protection Law (PIPL) and Data Security Law (DSL). Recent 2025 amendments aim to strengthen enforcement and align the CSL with evolving global cybersecurity challenges. The CSL applies to both domestic and international businesses offering network services or handling user data in China.
Disclaimer: This guide is intended for informational purposes only and does not constitute legal advice. Chinafy is not a legal or corporate advisory entity. Given that legal obligations vary by business type and context, we recommend consulting with qualified legal counsel for advice specific to your organization. If needed, Chinafy can connect you with one of our experienced legal partners.
The Cybersecurity Law of the People's Republic of China (CSL) is a comprehensive legal framework that came into effect on June 1, 2017. It’s aimed at regulating cyberspace and improving information network security in China. Administered by the Cyberspace Administration of China (CAC), it sets out obligations around network operations, data protection, and national security.
The law was the first to formally introduce concepts like data localization, critical infrastructure oversight, and personal information protection, paving the way for more specific legislation like the Personal Information Protection Law (PIPL) and Data Security Law (DSL).
The CSL applies to a broad range of entities, including:
Network operators – any organization or individual that owns or administers a network or provides network services (e.g., websites, platforms, apps).
Critical Information Infrastructure Operators (CIIOs) – organizations in sectors like finance, telecom, energy, and public services whose systems, if compromised, could impact national security or public interest.
This includes foreign and offshore businesses that process personal data or offer network services to users in Mainland China.
Some examples of the obligations under the CSL include:
Data localization: CIIOs must store personal and important data within Mainland China. If cross-border transfer is necessary, it must pass a security assessment administered by the CAC. (Article 37)
Information protection systems: Network operators must keep the user information they collect confidential, and must establish and complete user information protection systems. (Article 40)
User consent and transparency: Network operators must abide by the principles of legality, propriety, and necessity; publish their rules for collection and use; explicitly state the purposes, means, and scope of collecting or using information; and obtain the consent of the persons whose data is gathered. (Article 41)
Data integrity and non-disclosure: Network operators must not disclose, tamper with, or destroy personal information they gather; and, absent the consent of the person whose information was collected, must not provide personal information to others. (Article 42)
Prohibited activities: Individuals or organizations must not steal or use other illegal methods to acquire personal information, and must not unlawfully sell or unlawfully provide others with personal information. (Article 44)
The CSL is considered the foundational layer of China’s three-part data regulation framework:
Cybersecurity Law (CSL) – focuses on network security, infrastructure, and data handling responsibilities.
Data Security Law (DSL) – focuses on national security and "important data" classification.
Personal Information Protection Law (PIPL) – focuses on personal data rights, consent, and cross-border rules.
Together, these laws create a multi-dimensional framework that businesses must navigate when operating in or engaging with the Chinese market.
Proposed amendments to China’s Cybersecurity Law (CSL) were put forward in 2025, with a new draft issued by the Cyberspace Administration of China (CAC) on March 28, 2025.
The amendments aim to:
Achieve legal alignment with newer laws (PIPL and DSL were enacted in 2021)
Strengthen enforcement to deter violations
Enhance risk prevention against evolving cyber threats
Adapt to geopolitical and international cybersecurity challenges.
Some of the changes include:
Tiered penalties based on the severity of violations (Article 59).
Increased penalties related to the handling of illegal content (merging Articles 68 and 69).
New provisions to ensure that only certified cybersecurity products are sold in China (Article 61).
A flexible penalty system to encourage voluntary compliance (Article 72).
Expanded scope to include “websites and applications” (Articles 62, 63).
Unified regulation of illegal content and personal data violations (Article 71).
These updates are designed to further standardize enforcement and close regulatory gaps, particularly around emerging technologies and cross-border data risks.
While the CSL explicitly mandates data localization for Critical Information Infrastructure Operators (CIIOs), businesses that are not formally designated as CIIOs should still remain cautious. In practice, regulators may require data localization from companies in sectors deemed sensitive or strategically important, such as healthcare, transportation, and cloud services. This means that businesses, including those outside typical CIIO categories, should evaluate whether their data storage and handling practices align with CAC expectations, particularly when personal or important data is involved.
A notable feature of the CSL is its broad applicability, extending to both domestic and foreign entities that operate networks or handle user data in Mainland China. This includes international websites, apps, and platforms accessible to Chinese users, regardless of whether they have a physical presence in China. As a result, foreign businesses that serve Chinese users should proactively assess their exposure under the CSL, including how they collect, process, store, and transfer data. Failure to comply can result in service bans, financial penalties, or even blacklisting by Chinese regulators.
Enforcement of the CSL has intensified in recent years, with Chinese authorities leveraging site inspections, data audits, and public notices to ensure compliance. Regulatory crackdowns have extended to both domestic giants and foreign firms. Businesses found to be in violation of the CSL have faced fines, public reprimands, and, in severe cases, mandatory suspension of operations. The 2025 amendments are expected to further streamline enforcement, reinforce penalty structures, and encourage self-reporting or voluntary rectification measures as part of a more “compliance-incentive” framework.
The CSL requirements often overlap with those of the PIPL, DSL, and other sector-specific regulations. For example, cloud service providers may need to comply with both CSL data security requirements and DSL classifications of “important data,” while platforms collecting user information must also meet PIPL consent and cross-border transfer standards.
Businesses are advised to approach compliance holistically, coordinating across legal, IT, and operations teams to address the cumulative obligations of China’s data governance landscape.
Chinafy collaborates with specialized partners such as Lianwei Pancloud and MS Advisory, which can provide guidance on laws like the CSL, PIPL, and DSL.
Get in touch with Chinafy today to better understand the next steps for your company’s website and data in China.